Re: DNS fragmentation attack subverts DV, 5 public CAs vulnerable

2018-12-18 Thread Ryan Sleevi via dev-security-policy
On Tue, Dec 18, 2018 at 1:53 PM Tim Hollebeek wrote: > The problem is that the attackers get to choose the CA they use, so > multi-perspective validation doesn't provide any benefits unless everyone > has to do it. > > I brought it up several times at the validation working group and as a >

RE: DNS fragmentation attack subverts DV, 5 public CAs vulnerable

2018-12-18 Thread Tim Hollebeek via dev-security-policy
zilla-dev-security- > policy > Subject: Re: DNS fragmentation attack subverts DV, 5 public CAs vulnerable > > On 14/12/2018 21:06, Wayne Thayer via dev-security-policy wrote: > > > I think it;s worth calling out that Let's Encrypt has implemented what > > appears to

Re: DNS fragmentation attack subverts DV, 5 public CAs vulnerable

2018-12-18 Thread Ryan Sleevi via dev-security-policy
On Tue, Dec 18, 2018 at 7:41 AM Rob Stradling wrote: > On 14/12/2018 21:06, Wayne Thayer via dev-security-policy wrote: > > > I think it;s worth calling out that Let's Encrypt has implemented what > > appears to be a relatively simple mitigation: > > >

Re: DNS fragmentation attack subverts DV, 5 public CAs vulnerable

2018-12-18 Thread Rob Stradling via dev-security-policy
On 14/12/2018 21:06, Wayne Thayer via dev-security-policy wrote: > I think it;s worth calling out that Let's Encrypt has implemented what > appears to be a relatively simple mitigation: > https://community.letsencrypt.org/t/edns-buffer-size-changing-to-512-bytes/77945 Sectigo implemented this

Re: DNS fragmentation attack subverts DV, 5 public CAs vulnerable

2018-12-15 Thread Wayne Thayer via dev-security-policy
On Tue, Dec 11, 2018 at 10:27 AM Hector Martin 'marcan' via dev-security-policy wrote: > On 12/12/2018 01.47, Ryan Sleevi via dev-security-policy wrote: > > Is this new from the past discussion? > > I think what's new is someone actually tried this, and found 5 CAs that > are vulnerable and for

Re: DNS fragmentation attack subverts DV, 5 public CAs vulnerable

2018-12-11 Thread Leo Grove via dev-security-policy
On Tuesday, December 11, 2018 at 11:27:52 AM UTC-6, Hector Martin 'marcan' wrote: > On 12/12/2018 01.47, Ryan Sleevi via dev-security-policy wrote: > > Is this new from the past discussion? > > I think what's new is someone actually tried this, and found 5 CAs that > are vulnerable and for which

Re: DNS fragmentation attack subverts DV, 5 public CAs vulnerable

2018-12-11 Thread Hector Martin 'marcan' via dev-security-policy
On 12/12/2018 01.47, Ryan Sleevi via dev-security-policy wrote: > Is this new from the past discussion? I think what's new is someone actually tried this, and found 5 CAs that are vulnerable and for which this attack works in practice. >

Re: DNS fragmentation attack subverts DV, 5 public CAs vulnerable

2018-12-11 Thread Ryan Sleevi via dev-security-policy
On Tue, Dec 11, 2018 at 11:34 AM Hector Martin via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I figured this presentation might be of interest to this list: > > > https://i.blackhat.com/eu-18/Thu-Dec-6/eu-18-Heftrig-Off-Path-Attacks-Against-PKI.pdf > > It seems they

DNS fragmentation attack subverts DV, 5 public CAs vulnerable

2018-12-11 Thread Hector Martin via dev-security-policy
I figured this presentation might be of interest to this list: https://i.blackhat.com/eu-18/Thu-Dec-6/eu-18-Heftrig-Off-Path-Attacks-Against-PKI.pdf It seems they found 5 (unspecified) public CAs out of 17 tested were vulnerable to this attack, which can be performed by an off-path attacker.